CVE-2021-31930
Severity: MEDIUM (CVSS 6.1)
Description
Persistent (stored) cross-site scripting (XSS) in the web interface of Concerto through 2.3.6 allows an unauthenticated remote attacker to introduce arbitrary JavaScript by injecting an XSS payload into the First Name or Last Name parameter upon registration. When a privileged user later attempts to delete that account, the stored payload is rendered unescaped and executes in the privileged user's browser. The CVSS vector reflects this: PR:N because registration is open to anyone, UI:R because an administrator must open the delete action, and S:C because the code runs in the victim's browser session rather than in the attacker's own.
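The following Ruby/ERB example is added here to illustrate the bug class; it is not Concerto's code and does not reproduce PR #1558. It assumes the delete action renders the account's full name into a confirmation view (an assumption, not a detail the advisory gives). The vulnerable template interpolates the stored name verbatim, which is what a Rails view does with `raw`/`html_safe` on user-controlled text; the hardened template passes every interpolation through `h` (`ERB::Util.html_escape`), which also neutralises the attribute-breakout variant in the Last Name field. The sample account values are constructed for the demo.

```ruby
require 'erb'

# Constructed sample account: the attacker signed up with XSS payloads in the
# name fields. The first name targets text context, the last name targets the
# quoted data-confirm attribute (these values are made up for this example).
ATTACKER = {
  id: 42,
  first_name: %q{Bob<script>alert(document.cookie)</script>},
  last_name:  %q{" onmouseover="alert(1)}
}.freeze

BENIGN = { id: 7, first_name: 'Alice', last_name: 'Example' }.freeze

class DeleteConfirmation
  include ERB::Util # provides h() == ERB::Util.html_escape

  # Vulnerable: <%= %> in plain ERB does not escape. This is equivalent to a
  # Rails view that calls raw()/html_safe on a user-supplied string.
  VULNERABLE = ERB.new(<<~'HTML')
    <p>Delete user <%= full_name %>?</p>
    <a href="/users/<%= id %>" data-method="delete"
       data-confirm="Really delete <%= full_name %>?">Delete</a>
  HTML

  # Hardened: every interpolation of attacker-controlled data goes through h(),
  # which escapes & < > " ' so the value cannot leave its text/attribute context.
  HARDENED = ERB.new(<<~'HTML')
    <p>Delete user <%= h full_name %>?</p>
    <a href="/users/<%= h id %>" data-method="delete"
       data-confirm="Really delete <%= h full_name %>?">Delete</a>
  HTML

  def initialize(user)
    @user = user
  end

  def id
    @user[:id]
  end

  def full_name
    "#{@user[:first_name]} #{@user[:last_name]}"
  end

  def render_vulnerable
    VULNERABLE.result(binding)
  end

  def render_hardened
    HARDENED.result(binding)
  end
end

# Simple reviewer check: a rendered fragment must not contain raw tag openers
# or an unescaped double quote outside the template's own markup. Here we look
# for the two injected markers directly.
def payload_neutralised?(html)
  !html.include?('<script') && !html.include?('" onmouseover=')
end

if __FILE__ == $PROGRAM_NAME
  puts "--- vulnerable ---"
  puts DeleteConfirmation.new(ATTACKER).render_vulnerable
  puts "--- hardened ---"
  puts DeleteConfirmation.new(ATTACKER).render_hardened
end
```

Run the file to see both renderings side by side; the hardened output shows `&lt;script&gt;` and `&quot; onmouseover=&quot;`, so the browser displays the name literally and never evaluates it.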
CVE details
CVSS v3.1 score: 6.1
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: REQUIRED
Published: 2021-05-19
Last modified: 2024-11-21
Source: nvd
Honeypot sightings: 0
Affected products
concerto-signage:concerto (versions through 2.3.6)
Weaknesses (CWE)
CWE-79 (Improper Neutralization of Input During Web Page Generation, cross-site scripting)
References
https://github.com/concerto/concerto/pull/1558 (cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
https://github.com/concerto/concerto/security/advisories (cve@mitre.org; af854a3a-2127-422b-91ae-364da2661108)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.